Three-year-old IBM patch for critical Java flaw is broken

Attackers can easily bypass the patch to exploit a vulnerability that allows them to escape from the Java security sandbox

Security researchers have found that a patch released by IBM three years ago for a critical vulnerability in its own Java implementation is ineffective and can be easily bypassed to exploit the flaw again.

The broken patch was discovered by researchers from Polish firm Security Explorations who found the vulnerability and reported it to IBM in May 2013. IBM issued a fix in a July 2013 update for its Java development kit.

IBM maintains its own implementation of the Java virtual machine and runtime. This version of Java is included in some of the company's enterprise software products, as well as in the IBM Software Developer Kit, which is available for platforms like AIX, Linux, z/OS and IBM i.

"The actual root cause of the issue hasn't been addressed at all," Adam Gowdiak, CEO of Security Explorations, said in a message sent Monday to the Full Disclosure mailing list. "There were no security checks introduced anywhere in the code. The patch relied solely on the idea that hiding the vulnerable method deep in the code and behind a Proxy class would be sufficient to address the issue."

This is the sixth time the company has discovered an ineffective patch from IBM for some of the Java issues that Security Explorations discovered, Gowdiak said. For one vulnerability, IBM released two broken patches in a row, he said.

IBM, in a statement, said it is aware of the vulnerability and is working to address it.

Security Explorations recently changed its vulnerability disclosure policy, saying that it will no longer tolerate broken patches for vulnerabilities that it has responsibly reported to vendors. The company will now publicly disclose how to bypass those fixes without notifying the vendors beforehand.

This is what the company did last month when it found that a patch released by Oracle in 2013 for a critical vulnerability in its own Java runtime was also ineffective. Security Explorations' recent public disclosure, which included proof-of-concept code to bypass the patch, made the vulnerability exploitable again in the latest versions of Java and forced Oracle to release an emergency update on March 23.

The same thing is happening now with the IBM patch. Security Explorations published a detailed technical report explaining how to bypass the company's 3-year-old fix and even released proof-of-concept code to show that the vulnerability can still be exploited in the latest versions of IBM SDK Java Technology Edition.

Breaking the IBM patch requires only "several minor changes to our original proof-of-concept code published in [July] 2013," Gowdiak said. "We verified that a complete Java security sandbox escape could be achieved with it."

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?